Privacy Commissioner decision provides guidance for parties to M&A transactions

The Privacy Commissioner of Canada’s decision regarding the Starwood/Marriott data security breach provides important guidance for parties to M&A transactions and for all organizations that handle personal information.

Marriott International (Marriott) acquired Starwood Hotels (Starwood) through a share purchase transaction in September 2016. Marriott assessed Starwood’s IT practices as part of the transaction due diligence. After the transaction, the Starwood and Marriott computer networks were kept separate, and Marriott implemented measures to improve the security of the Starwood network until it could be decommissioned. Marriott planned to integrate aspects of the networks within 18 months, but the integration was not completed until December 2018.

In September 2018, Marriott discovered a breach of the Starwood network involving unauthorized access to a Starwood guest reservation database containing up to approximately 339 million customer records (including up to 12.8 million records of Canadian individuals). The records included guest profiles and contact details, account and reservation information, and, for some individuals, passport details (which in some cases were unencrypted) and encrypted payment card details. The breach occurred over four years – from July 2014 until September 2018. The unknown attacker took steps to prepare to exfiltrate data from the Starwood network, but Marriott was unable to determine whether the attacker had successfully done so.

In November 2018, Marriott publicly announced the breach and reported the breach to the Office of the Privacy Commissioner of Canada (OPC). Marriott contained and investigated the breach, gave affected individuals direct and indirect notice of the breach, decommissioned the Starwood database, and enhanced the security safeguards of its systems based on lessons learned from the breach. Class action lawsuits relating to the breach were commenced against Marriott in Canada and the United States, and the United Kingdom Information Commissioner’s Office investigated the breach.


This content was updated on December 14, 2022 at 15:12.